virus/worms killing a network...

Guy Fraser guy at incentre.net
Tue Aug 3 20:03:17 UTC 2004


Yes there are a number of tools, either included or available.

You can try iptraf, etherape, tcpdump or ethereal, but there are many others.

When looking for bandwidth hogs I prefer etherape or iptraf.

You can get etherape for Fedora at:
http://dag.wieers.com/packages/etherape/

I have noticed a lot of DNS queries and SMTP traffic caused by
most virus infected machines lately. You can find them using tcpdump
if you filter destination ports 25 and 53, like this:

tcpdump -nvv -i eth1 dst port 25 or dst port 53

You will need to be root to run tcpdump, and press CTRL-C to
stop.

If your internal network is not on eth1 then change it to whatever your
internal interface is.

To reduce the impact of the infected machines, set up some firewall rules
only allowing SMTP {TCP port 25} connections to your SMTP server
from your internal machines. Also block all outgoing traffic on UDP ports
135, 139 and 445. This will reduce your traffic and reduce the chance of
your internal machines infecting other machines on the internet.

Good luck.

Cristiano Soares wrote:

> Hi All. I'm desperate to get my network back working fine. Here is my
> situation.
>
> I have a FC2 server that has two NICs. The first one is connected to my
> ADSL router, and the other one is connected to a network that receives
> IPs from that server through the DHCPD service, and then the FC2 does the
> firewall/masquerade. All the 30 machines can browse nicely until 2 or
> maybe more machines that have viruses/worms get online. I've been seeing
> that W32.MsBlast is the cause of most of these link-down problems, but now
> it looks to be more than just w32.msblast. My question is: IS IT
> POSSIBLE TO INSTALL SOFTWARE OR SOMETHING LIKE THAT ON THE FC2
> SERVER TO PREVENT OR AT LEAST DETECT (by IP number) THE MACHINES
> THAT HAVE THE VIRUS, SO IT DOESN'T KILL MY CONNECTION? Thanks in advance.
>
> Cristiano
>

-- 
Guy Fraser
Network Administrator
The Internet Centre
780-450-6787 , 1-888-450-6787
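Added example, not code from Guy's message or the fedora-list thread: a small script that turns the tcpdump filter above into a per-host count, so the machines generating the most SMTP/DNS traffic (the symptom Guy describes) surface as the top talkers. The capture lines, the internal SMTP server address 192.168.1.2 and the tcpdump line format are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Counts outbound SMTP (25) and DNS (53)
# packets per internal source address in tcpdump output so that the hosts
# Guy describes (lots of port 25/53 traffic) surface as the top talkers.
# Assumed tcpdump line format:  <time> IP <src>.<sport> > <dst>.<dport>: ...

# Constructed sample capture (not a real trace): host .20 is the noisy one.
SAMPLE_CAPTURE='12:00:01.000001 IP 192.168.1.20.3456 > 203.0.113.5.25: Flags [S], seq 1
12:00:01.000002 IP 192.168.1.20.3457 > 203.0.113.6.25: Flags [S], seq 1
12:00:01.000003 IP 192.168.1.20.3458 > 203.0.113.7.25: Flags [S], seq 1
12:00:01.000004 IP 192.168.1.20.1025 > 192.168.1.1.53: 1+ A? mx.example.net. (32)
12:00:01.000005 IP 192.168.1.21.1030 > 192.168.1.1.53: 2+ A? www.example.com. (33)
12:00:01.000006 IP 192.168.1.22.3001 > 192.168.1.2.25: Flags [S], seq 1'

# rank_hosts: read tcpdump lines on stdin, print "<count> <source ip>"
# for packets whose destination port is 25 or 53, busiest host first.
rank_hosts() {
  awk '$2 == "IP" && $4 == ">" {
         src = $3; sub(/\.[0-9]+$/, "", src)   # drop the source port
         dst = $5; sub(/:$/, "", dst)          # drop the trailing colon
         if (dst ~ /\.(25|53)$/) count[src]++
       }
       END { for (h in count) print count[h], h }' | sort -rn
}

# top_talker: the single source address with the most SMTP/DNS packets.
top_talker() {
  rank_hosts | head -n 1 | awk '{ print $2 }'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_CAPTURE" | rank_hosts

# Live use on the gateway as root (-l line-buffers tcpdump's output):
#   tcpdump -nn -l -i eth1 'dst port 25 or dst port 53' | rank_hosts
#
# Guy's mitigation in iptables form (assumes 192.168.1.2 is the internal SMTP
# server and eth1 the internal interface):
#   iptables -A FORWARD -i eth1 -p tcp --dport 25 ! -d 192.168.1.2 -j DROP
#   iptables -A FORWARD -i eth1 -p udp -m multiport --dports 135,139,445 -j DROP
```

A host that tops the list with dozens of connections to many different port 25 destinations within a few seconds is the pattern worth checking first, since a normal workstation only talks to the one internal mail server.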
